CFO email scams are increasingly ingenious

Email isn’t just a productivity black hole, it seems. No, your inbox is now ground zero for costly scams targeting CFOs and CEOs. These ‘whaling’ attacks are on the rise, so how can finance leaders insulate the business -- and themselves -- from the criminals?

The FT’s recent report on the London Blue hackers slipped under the radar. Understandable perhaps amid the unfurling chaos that is Brexit, but the report’s contents are troubling. London Blue, as the hacker group is called, has compiled a list of 35,000 CFOs, including some at the world’s biggest banks and mortgage companies.

Hackers then use such lists to target finance leaders with what’s known as business email compromise (BEC) or 'whaling' scams. A whaling attack is where a cybercriminal masquerades as a senior figure at an organisation with the aim of stealing money or sensitive information - and it's whaling as opposed to phishing because it targets company leaders.

It sounds simple, but such attacks are dangerously on the rise and have cost businesses north of £9bn since 2013. In one particularly egregious example, a whaling attack cost one Austrian manufacturing firm £38m (not to mention the CFO’s job).

BEC scams sound rudimentary but carried out by a cunning scammer, it takes on layers of nuance. AccountingWEB columnist and seasoned finance director Kate Coles has experienced these scams numerous times.

“In previous roles, I’ve had many emails purporting to be from my CEO or CFO asking for an urgent payment,” said Coles. Sometimes these were easy to dismiss, but other times the emails were harder to filter.

“The email addresses were really similar to the official work email address – an extra letter here or there which you wouldn’t notice on a quick glance. Some of them were really well written – no stereotypical spelling mistakes that often give away a scammer.

“In fact, this ended up being a giveaway on one occasion: I received an email purporting to be from my boss, but the language was far more formal than his usual email style. However, if I were not familiar with his style, I might not have picked it up.”

Some scammers are even more ingenious, explained Tom Davis, head of managed services at Cloudserve, a cloud services provider. “Scammers crack the CEO's mailbox using a phishing email or a password cracker, then set up a series of rules to forward all emails sent to that account to another external account so that they can build up an image of the CEO's speaking patterns, contacts and mannerisms.”

While the scammer builds this picture of the CEO, they can patiently wait for a suitable email chain, possibly on the subject of payments, to emerge where they can simply drop in an extra line to the CFO regarding a change in payment details or new payment request where it would not necessarily seem out of place.

“These kind of attacks are much harder to spot and prevent,” said Davis. “The best way to prevent them is to keep your mailboxes secure in the first place using complex passwords and two-factor authentication and frequently checking your mailbox forwarding rules to ensure no-one is monitoring your inbound/outbound emails.”

The other way to protect yourself from scams is more low tech: ask. Enhance’s Coles explained she has always applied the same principal to internal payment requests as to external ones: “If you receive a request and you can’t immediately tell if it’s a scam or not, walk round or pick up the phone and ask the ‘sender’ if they sent it.

Industry insights

“Use your internal email directory to mail them back – not hitting reply to the email you received. And use your internal phone directory to get their number too.

“I am involved in a charity, and every time I get a payment request I’m asking them if they’ve verified it’s legitimate and independently verified the bank details. I sometimes feel like a broken record, but I know friends who have been scammed in this way – it doesn’t just happen to people ‘out there’.

“One friend lost £3,000 in a payment to a builder – the email had been hacked and the invoice details changed. There’s no such thing as a shortcut on checking out a payment request, even if it’s the most senior person in the company asking. They’ll appreciate you checking it out far more than being annoyed at a 30-second question.”

I had one from my boss, our MD when he was away on holiday and unavailable, which was just far too much of a coincidence to be true. I played along and got the bank details the scammers required the funds sent to, and using the IBAN quoted looked up and informed the bank concerned (In Romania) via email that they were hosting scammers. I also forwarded all details to City of London Police. Not a dicky bird back from either of them which just goes to show we are on our own.

I did the same and found the recipients accounts were with the High Street Banks. When approached they showed zero interest.

I have also found that these fraudsters use Linkedin as a major source of information. I have worked at two companies where, within a week of updating my new role on Linkedin, I have received a CEO scam email.

This happened to us a few months ago, someone in our payroll dept got an email from our 'MD' asking them to make an urgent payment, he didn't question it sadly and made payment. It was only picked up at the end of the day when the bank was being reconciled but we did manage to get the money back as we contacted the bank. The fraudulent bank account was then reported but I don't think anything came of it..